GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption 3.0.

Transcription

1 GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption Security Target Version 2.01 Common Criteria EAL4 augmented with ALC_FLR.3 October 20, Brannan Street, Suite 400, San Francisco CA Fax

2 Contents 1.0 Introduction Identification ST Overview Common Criteria Conformance Document Organization Document Conventions TOE Description Product Description TOE Physical Boundary and Scope of Evaluation Logical Boundary Evaluated Security Features Evaluated Configuration TOE Security Environment Assumptions Threats Organizational Security Policies Security Objectives Security Objectives for the TOE Security Objectives for the Environment IT Environmental Security Objectives Non-IT Environmental Security Objectives IT Security Requirements TOE Security Requirements TOE Security Functional Requirements TOE Security Assurance Requirements Strength of Function Security Requirements for the IT Environment TOE Summary Specification GuardianEdge Technologies Inc. Page ii of 75

3 6.1 Security Audit Cryptographic Support Hard disk encryption Removable Storage Encryption Data Protection Identification and Authentication Security Management TOE Protection Access Banner SOF Claims TOE Assurance Measures Protection Profile Claims Rationale Security Objectives Rationale Security Objectives Rationale for Threats Assumptions Addressed All Objectives covered Security Requirements Rationale Assurance Rationale Explicitly Stated Requirements Rationale Dependencies Rationale for Dependencies Not Satisfied Rationale that IT Security Requirements are Internally Consistent TOE Summary Specification Rationale IT Security Functions Rationale Rationale for Assurance Measures to Security Assurance Requirements Strength of Function Claims List of Acronyms Glossary References GuardianEdge Technologies Inc. Page iii of 75

4 Tables Table 1 Identification Summary... 5 Table 2 TOE SFRs Table 3 Management of TSF Data in the TOE...23 Table 4 Functional Components for the IT environment Table 5 Mapping TOE Security Functions and Requirements Table 6 Audit Record Information Table 7 Authentication methods, authentication keys and cryptographic operations Table 8 Subsystems and Processing Environments Table 9 Mapping of Assurance Requirements to Assurance Measures Table 10 Threats, Objectives, and Rationale Table 11 Mapping of Assumptions to Objectives...51 Table 12 Reverse Mapping of Security Objectives to Threats/Assumptions Table 13 Mapping of Security Objectives to Security Functional Requirements Table 14 Reverse mapping of SFRs to Security Objectives Table 15 Rationale for Explicit Requirements Table 16 TOE Dependencies Satisfied Table 17 IT Environment Dependencies are Satisfied Table 18 Dependencies Not Satisfied Table 19 Management Specifications Complete...64 Table 20 Mapping SFRs to TOE Summary Specification Rationale GuardianEdge Technologies Inc. Page iv of 75

5 1.0 Introduction 1.1 Identification The following table provides the required identification of the GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption Security Target. Table 1 Identification Summary Title GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption Security Target ST Version 2.01 Vendor TOE Assurance Level Protection Profile Conformance GuardianEdge, San Francisco, CA GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption EAL4 augmented with ALC_FLR.3 None FIPS Status Level 1, Validated crypto module, Certificate No. 515 Encryption Library Encryption Plus Cryptographic Library ST Overview This Security Target (ST) defines the Information Technology (IT) security requirements for the GuardianEdge Data Protection Framework, GuardianEdge Hard Disk Encryption, and GuardianEdge Removable Storage Encryption (collectively referred to as the GuardianEdge Platform ). The GuardianEdge Platform provides transparent encryption services for hard disks and removable storage devices on computers running Windows XP. It employs full disk encryption, pre-windows authentication, and on-the-fly disk decryption/encryption at the device driver level to provide complete protection of data on Windows-based notebook and desktop systems. It also protects information on removable storage devices such as USB flash drives. 1.3 Common Criteria Conformance This document conforms to the Common Criteria (CC) for Information Technology (IT) Security Evaluation, Version 2.3, dated August 2005 (International Standard ISO/IEC 15408). The TOE is Part 2 extended, Part 3 conformant, and Evaluation Assurance Level (EAL) 4 conformant GuardianEdge Technologies Inc. Page 5 of 75

6 1.4 Document Organization Section 1, Introduction, identifies the ST and presents the overview. This section also includes document conventions and organization, the CC conformance statement, and a list of CC and product-specific acronyms. Section 2, TOE Description, defines the product type, scope, and boundaries. Section 3, TOE Security Environment cites assumptions regarding the TOE's intended use and environment, and identifies potential threats. Section 4, Security Objectives, identifies the TOE security objectives and describes how they would meet a security problem. Section 5, Security Requirements, addresses Security Functional Requirements, Security Requirements for the IT environment, and the Security Assurance Requirements. Section 6, TOE Summary Specification, provides a summary of the IT Security Functions and Assurance Measures. Section 7, Protection of Profile Claims, This section is non-applicable. ST does not include PP conformance. Section 8, Rationale, provides evidence confirming that the ST contains a complete, cohesive set of requirements, and that a TOE in conformance with the requirements would provide effective IT security countermeasures within the security environment of the evaluated configuration. Three types of rationale are presented: Security Objective, Security Requirement, and TOE Summary Specification. Glossary, defines the terms used in this document. References, provides various references for technical standards. 1.5 Document Conventions Iterations are identified by parentheses, for example FIA_UAU.2(1). Assignment and selection operations are identified by bold, italicized text within brackets: [assignment or selection value]. Refinements are identified by bold text. Explicitly stated requirements are identified by the tag EXP, for example FPT_SEP_ENV_EXP GuardianEdge Technologies Inc. Page 6 of 75

7 2.0 TOE Description 2.1 Product Description The GuardianEdge Platform provides transparent encryption services for hard disks and removable storage devices on computers running Windows XP. It employs full disk encryption, pre-boot authentication, and onthe-fly disk decryption/encryption at the device driver level to provide complete protection of data on Windowsbased notebook and desktop systems. It also protects information on removable storage devices such as USB flash drives. The GuardianEdge Platform is intended for use in computing environments where there is a potential for attackers possessing a moderate attack potential. The GuardianEdge Platform protects data at rest on the hard disk and on removable devices from unauthorized access. The GuardianEdge Platform uses its own FIPS validated cryptographic library to perform the cryptographic operations necessary to protect data, support authentication, and self-protect itself against tampering or bypass. The product uses Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with 256-bit keys to perform bulk encryption on administrator-specified partitions of hard disks and removable storage devices on a Client Computer. During the initial encryption process, the GuardianEdge Platform encrypts all data on the hard disk except its own set of files that runs in the pre-windows environment: the GuardianEdge Pre-Boot Authentication component (GPBA). The GPBA is called by the BIOS and creates its own pre-windows environment to perform the authentication and subsequent decryption to start the operating system. The product s scope of protection includes the Windows operating system files, swap files, hibernation files, paging files, executables and all data stored on the hard disk. For removable storage devices encryption happens on a per file basis; the initial encryption of a given file happens when that file is written to the removable device. The product s pre-windows authentication function prevents Windows from loading until a registered GuardianEdge user successfully authenticates. Once authenticated, users gain access to Windows and to all applications and data, subject to the operating and application access controls. In a multi-user environment, the GuardianEdge Platform provides access control for the initial user starting the computer; subsequent users are authenticated by the operating system. The product offers several authentication options, including an Advanced Authentication module that supports tokens utilizing PKCS #11 access and X.509 certificates, and a Single Sign-On mechanism that synchronizes the GuardianEdge password with a Windows password. The password-based mechanism and its supporting authentication failure and password complexity requirements are the evaluated options. For data on hard disk, following pre-boot authentication, the GuardianEdge Platform makes the data available transparently to users and applications via the operating system by performing on-the-fly decryption at the device driver level. The data is then re-encrypted when written back to disk. By providing the cryptographic services at the device driver level, the GuardianEdge Platform is able to protect all the data and function automatically and transparently this ensures that the user s usual work flow is not disrupted and that security is always applied, rather than depending on users requesting the protection GuardianEdge Technologies Inc. Page 7 of 75

8 For data on removable storage devices, new files are automatically encrypted whenever they are written to the removable device. Depending on the configuration, existing plaintext files already on the removable storage device may be either left in plaintext or automatically encrypted. The evaluated configuration is for automatic encryption of pre-existing files to be disabled. Access is provided to encrypted files via on-the-fly decryption at the device driver level. Data for encrypted files is re-encrypted when data parts of that file are written back to disk. This ensures that the user s usual work flow is not disrupted, and that security of any files originating from the computer the removable storage device is attached to are encrypted automatically rather than depending on users requesting protection on a per file basis. In addition to AES bulk encryption, the GuardianEdge Platform uses Elliptic Curve Cryptography (ECC) asymmetric cryptographic algorithms to protect keys and authentication data and the SHA-1 hash function to verify the integrity of data, keys and code. The administration of the GuardianEdge Platform follows the simplicity tenet for security architectures. A GuardianEdge Manager component, separate from the Client Computer, is used to create a set of installation files for the Client Computer. These files are copied to the Client Computer and when run install the Client Computer components, which provide the evaluated security functions. A console on the Client Computer provides an administrative interface to remove registered users and manage users passwords. Registered users self-register during the logon process; Client Administrators are defined by the Policy Administrator during installation. 2.2 TOE Physical Boundary and Scope of Evaluation The evaluated configuration of the GuardianEdge Platform comprises the software components listed below. The TOE includes all product components; however, in the evaluated configuration, some components do not provide any security functions and are therefore outside the scope of some assurance evaluation activities. The following TOE components provide security functions in the evaluated configuration: GuardianEdge Pre-Boot Authentication operates in the pre-windows environment to provide pre-windows authentication, decryption services to start the operating system, self-tests, a master boot record to interface with the BIOS, and a file storage mechanism to support these functions, referred to as the GuardianEdge File System (GEFS). GuardianEdge Hard Disk Encryption includes a kernel-mode driver that performs on-the-fly decryption and encryption of data on the client hard disk. GuardianEdge Removable Storage Encryption includes a kernel-mode driver that performs decryption and encryption of data on the removable storage devices, and provides per-file password-based access control as required to decrypt files accessed on devices. GuardianEdge Data Protection Framework provides the cryptographic library and Client Console interface. The following TOE components do not provide any security functions in the evaluated configuration: The GuardianEdge Manager is used by the Policy Administrator to create the Client Computer installation package, which is saved as a set of installation files on the GuardianEdge Manager computer. Various mechanisms can transfer the installation files from the management computer to the Client Computer. This component does not communicate with the TOE in the evaluated configuration. A network connection 2008 GuardianEdge Technologies Inc. Page 8 of 75

9 between the server and the client is not required. In the evaluated configuration, the GuardianEdge Manager is used in pre-installation only. GuardianEdge Platform support on the Client Computer. The optional GuardianEdge Advanced Authentication module, which supports secondary authentication devices. The optional GuardianEdge Server, provided with the product to support distributed administration. Client Administrator User Note: There is no communication between the Client Computer and the Manager Computer in the evaluated configuration Policy Administrator GuardianEdge Pre-Boot Authentication (GPBA) Auditing Client Console Registration Wizard CD/DVD Removable Storage Service GuardianEdge Manager console Optional Network Connection Used to make client installation packages only Framework/Hard Disk Services Dynamic Cryptographic Libraries Client Database 32-Bit Drivers Pre-Windows Windows Hard Disk Media Removable Media Windows Client Computer Manager Computer GuardianEdge Components and TOE Boundary The TOE relies on the following IT environment components to support the evaluated security functions: The Client Computer including Windows XP Service Pack 3, x86 platform, hard disk and removable storage components and device drivers The Manager Computer including Windows 2003 Server, Service Pack 2, x86 platform with storage media for the client installation package files GuardianEdge Technologies Inc. Page 9 of 75

10 2.3 Logical Boundary EVALUATED SECURITY FEATURES The GuardianEdge Platform provides the security functions listed below. All security functions, and their associated security functional requirements (SFRs), are provided by the TOE components on the Client Computer. The GuardianEdge Manager is used for the installation process only and provides no security functions in the evaluated configuration. Support required for the TOE s IT environment is noted for each service. 1. Security Audit The TOE auditing service generates audit records into the Windows system event log of the Client Computer operating system. It captures security events related to use of the authentication mechanism, initial encryption activity, and the startup and shutdown of the TOE client. The TOE auditing service is automatically started with the start-up of the TOE client, and there is no interface to turn off the audit mechanism and no interface to change the security events being audited. The audit function requires the following support from the TOE s IT environment: The OS to protect the Windows system event log to ensure it s protected from unauthorized deletion and modification. The platform to provide reliable time when required to ensure the audit records have meaningful timestamps. The OS to provide an interface to view the audit records in the Windows system event log. 2. Data Protection The TOE uses its FIPS140-2 cryptographic functions, described below, to ensure all data on the hard disk partitions, as designated by an administrator, is protected by encryption when not in use (i.e., at rest). Except for the GEFS files (to bootstrap the system), the encryption covers all the data on the selected hard disk partitions, including system files, e.g., Windows operating system files, registry, swap files, hibernation files, paging files. A per computer key is used to encrypt all data on the hard disk; this key is called the Workstation Encryption Key (WEK). The data protection function also ensures the data is available when requested and that both the encryption process (to protect the data when at rest) and the decryption process (to make the data available to registered users) is done transparently to the user, referred to as on-the-fly decryption/encryption. This transparent operation ensures enforcement and doesn t rely on users activating the function. Data on removable storage devices is encrypted on a per file basis. Files are automatically encrypted when written to the device. Encrypted files are decrypted when accessed and encrypted when written. Depending on the configuration, pre-existing plaintext files may be either automatically encrypted, or left as plaintext. The evaluated configuration is for pre-existing files to be left in plaintext. A per file key is used to encrypt files on removable storage devices; this key is called the File Encryption Key (FEK) GuardianEdge Technologies Inc. Page 10 of 75

11 The data protection function requires the platform to be operating correctly, both in general for supporting the TOE processes and in particular for loading the TOE kernel-mode device drivers as configured in the installation process and processing the bits to ensure they pass through the TOE for the specified partitions. 3. Cryptographic Services The TOE includes cryptographic libraries that provide cryptographic support for the following security functions: Authentication process password check Elliptic Curve Cryptography (ECC) SHA-1 New user registration ECC RNG Initial encryption and transparent decryption: AES in CBC mode. Self-tests and integrity checks: SHA-1 and CRC. The IT environment is only required to operate correctly to support the cryptographic services security function. 4. Identification and Authentication The TOE provides an identification and authentication (I&A) mechanism that requires all users to identify and authenticate themselves during the startup of the Client Computer, before the operating system is loaded and before users log on to their Windows accounts. This is referred to as pre-windows authentication. In addition to the pre-windows authentication requirement, the TOE also requires all users to log on again when accessing the GuardianEdge Client console. Supporting the password-based mechanism, the TOE obscures the password users enter on the TOE logon screens. It provides an authentication failure mechanism and password management options that defines parameters for acceptable passwords. The identification and authentication function depends on the operating system to identify and authenticate the Client Computer users after startup, and the platform to provide an accurate clock to measure one minute, the delay in the logon process for the authentication failure mechanism. As with all the security functions, it also requires the support provided as part of the Partial Self-Protection, described below, both in general and in particular for activating the TOE as part of the pre-windows start-up process. 5. Security Management The TOE includes an administrative interface for Client Administrators to remove users, change passwords, and perform initial encryption on selected partitions. Registered users also use this interface to change their passwords. The GuardianEdge Platform in its evaluated configuration is designed to require minimum administration during normal operation. The Client Administrator, using the Client Console, is also able to verify the evaluated configuration settings. New users are added to the TOE through a self-registration 2008 GuardianEdge Technologies Inc. Page 11 of 75

12 process coordinated with the operating system logon for subsequent users after startup of the Client Computer. The IT environment is required to operate correctly to support this security function. 6. Partial Self-Protection Working in concert with its platform the TOE provides a security architecture and security mechanisms to ensure the TSF cannot be bypassed, corrupted, or otherwise compromised. The TOE relies on its platform for domain separation of TSF processes, for non-bypassability, for access controls on file protections, and for correct operation of the BIOS and media driver data processing. 7. Access Banner The TOE displays an advisory warning access banner as part of its logon screen. The banner and warning are defined by the Policy Administrator during the installation process EVALUATED CONFIGURATION Physical Components: Client platform: Windows XP, with Service Pack 3 Manager console platform: Windows Server 2003, with Service Pack 2 Installation Configuration: GuardianEdge Server not installed. Client Monitor by checking in with platform disabled. The two password recovery tools: Authenti-Check and One-Time Password disabled. I&A optional mechanisms: Single Sign-On is disabled. Token authentication ( Advanced Authentication ) is disabled. Autologon is disabled. Grace restarts are disabled (set to zero). Initial Encryption configuration: Manual encrypt or decrypt partition enabled for Client Administrator only, not registered users. Unused sectors are included in the encryption. Removable Storage configuration: GuardianEdge Hard Disk Encryption is installed and all hard disk partitions of the protected operating system and associated user data partitions and swap partitions are encrypted. The GuardianEdge Removable Storage Access Utility is not used. Encryption policy set to Encrypt New Files GuardianEdge Technologies Inc. Page 12 of 75

13 The option to automatically encrypt pre-existing plaintext on removable devices is disabled. The creation of self-extracting files is disabled. Non-registered user support is disabled. The access policy is set to read and write. Encryption method is set to password. Certificate (token and software based) encryption is disabled and/or not used. Group Key feature is disabled. No Master Certificate specified. Password policy: The specific password policy configuration for the evaluated configuration is provided in SOF Claims on page 41. A logon delay of one minute after a configured number of incorrect logons is enabled. 3.0 TOE Security Environment 3.1 Assumptions The following is a list of assumptions regarding the security environment in which the TOE operates. A.NET_ACC It is assumed if the Client Computer is connected to a network, then remote users are required to log on to the Windows operating system to gain access, and that file sharing and other network services that don t require a Windows logon and provide remote access to data stored on the Client Computer media are either disabled or there are appropriate network authentication and confidentiality services. A.NO_EVIL It is assumed that administrators are non-hostile, appropriately trained and follow all administrator guidance. A.NO_MALWARE It is assumed that environment procedures will ensure that the operating environment for the TOE runs only software, firmware, or hardware that has been approved by the security officer. A.NO_UAT It is assumed that users do not leave the GuardianEdge Client Computer unattended when they are logged on. A.USERS It is assumed that users will protect their authentication data. A.NO_LOCAL_ADMIN It is assumed that the user is not defined as a local administrator and has not been given local administrative privileges GuardianEdge Technologies Inc. Page 13 of 75

14 3.2 Threats Threat agents are assumed to have an attack potential of medium for all threats. As a result, the TOE has been developed with the assumption that a potential attacker would have a medium level of expertise, access to a medium level of resources, and also possess a medium level of motivation. The following threats are countered by the TOE: T.IMPROPER_NOTICE If proper notice of restricted use or other binding conditions is not provided, organizations may not be able to pursue legal sanctions. This would result in decreased effectiveness of administrative controls for protecting assets. T.MASQUERADE A malicious user or external IT entity may masquerade as another entity in order to gain unauthorized access to the Client Computer media assets. T.TSF_COMPROMISE A user or process may cause TSF data or executable code to be inappropriately accessed (viewed, modified, or deleted). T.UNAUTHORIZED_MEDIA_ACCESS An unauthorized user with physical access to the Client Computer may access assets stored on the hard disk and removable storage devices encrypted partitions by subverting the normal computer start-up processes or by removing the media from the computer. T.UNIDENTIFIED_ACTIONS The administrator may not have the ability to notice potential security violations, thus limiting the administrator s ability to identify and take action against a possible security breach and hold persons accountable for their actions. 3.3 Organizational Security Policies There are no organizational security policies governing the secure use of the TOE. 4.0 Security Objectives 4.1 Security Objectives for the TOE O.AUDIT_GENERATION The TOE will provide the capability to detect and create records of security relevant events associated with users. O.CORRECT_ TSF_OPERATION The TOE will provide the capability to test the TSF to ensure the correct operation of the TSF at a customer s site GuardianEdge Technologies Inc. Page 14 of 75

15 O.DISPLAY_BANNER The TOE will display an advisory warning regarding use of the TOE. O.MANAGE The TOE will provide all the functions and facilities necessary to support the administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use. O.MEDIASEC The TSF must be able to protect the Client Computer media assets on the Client Administrator-specified hard disk partitions and removable storage devices, using encryption. O.PARTIAL_SELF_PROTECTION The TSF will maintain a domain for its own execution, and implement an architecture and mechanisms that protects itself and its resources from external interference, tampering, or unauthorized disclosure through its own interfaces. O.PARTIAL_TOE_ACCESS The TSF will provide mechanisms that control user s logical access to the TOE Client Console and to the TOE mechanism that allows the Client Computer to start-up and make protected data available to the Client Computer users. O.TRANSPARENT_ENFORCED_ACCESS The TSF must be able to provide authorized users and system processes read and write access to the Client Computer encrypted partitions in a manner that is transparent to users. This ensures that the mechanism is always invoked and that the data is available to the system, authorized users, and applications and is encrypted when not in use and stored on the encrypted partitions. 4.2 Security Objectives for the Environment IT ENVIRONMENTAL SECURITY OBJECTIVES The following security objectives are part of the IT environment in which the TOE operates. OE.AUDIT_SUPPORT The IT environment will provide the capability to view audit information, and will protect the stored audit records from unauthorized modification and deletion, and will provide a timestamp for the audit records. OE.PARTIAL_TOE_PROT The TSF Environment shall provide virtual memory management, execution rings for executing user software and kernel processes to protect the TOE processes from interference and tampering, and file protection to prevent unauthorized access and modifications to TOE. OE.TIMESTAMP The TOE computing platform will provide reliable time GuardianEdge Technologies Inc. Page 15 of 75

16 OE.TOE_ENVIR_ACCESS The IT environment will provide the capability to control users logical access to the Client Computer after its startup NON-IT ENVIRONMENTAL SECURITY OBJECTIVES This section contains policy- and personnel-related security objectives for the environment in which the TOE operates. ON.NET_ACC The environment procedures will ensure that the operational environment is suitable for the threats the TOE is designed to meet. For example, if the Client Computer is connected to a network, then remote users are required to log on to the Windows operating system to gain access, and that file sharing and other network services that don t require Windows logon and provide remote access to data stored on the Client Computer media are either disabled or there are appropriate network authentication and confidentiality services. ON.NO_EVIL The environment procedures will ensure that administrators are non-hostile, appropriately trained and follow all administrator guidance. ON.NO_MALWARE The environment procedures will ensure that the operating environment for the TOE runs only software, firmware, or hardware that has been approved by the security officer. ON.NO_UAT The environment procedures will ensure that users do not leave the GuardianEdge Client Computer unattended when they are logged on. ON.USERS The environment procedures will ensure that users will protect their authentication data. ON.NO_LOCAL_ADMIN The environment procedures will ensure that the user is not defined as a local administrator and has not been given local administrative privileges. 5.0 IT Security Requirements 5.1 TOE Security Requirements TOE SECURITY FUNCTIONAL REQUIREMENTS The following requirements are taken from CC Part 2, except for those explicitly stated, which are denoted by _EXP in the SFR ID GuardianEdge Technologies Inc. Page 16 of 75

17 Table 2 TOE SFRs Item SFR ID SFR Title 1. FAU_GEN.1 Audit data generation 2. FAU_GEN.2 User Identity Association 3. FCS_CKM.1 Cryptographic key generation 4. FCS_CKM.4 Cryptographic key destruction 5. FCS_COP.1(1) Cryptographic Operation (AES) 6. FCS_COP.1(2) Cryptographic Operation (ECC of UPC) 7. FCS_COP.1(3) Cryptographic Operation (RNG) 8. FCS_COP.1(4) Cryptographic Operation (Secure Hash) 9. FCS_COP.1(5) Cryptographic Operation (HMAC-SHA-1) 10. FDP_IFC.2 Complete information flow control 11. FDP_IFF.1 Simple security attributes 12. FIA_AFL.1 Authentication failure handling 13. FIA_SOS.1 Verification of secrets 14. FIA_UAU.2 User authentication before any action (user access to Client Computer) 15. FIA_UAU_TOE_EXP.2 User authentication before any action (Client console) 16. FIA_UAU.7 Protected authentication feedback 17. FIA_UID.2 User identification before any action (user access to Client Computer) 18. FIA_UID_TOE_EXP.2 User identification before any action (Client console) 19. FMT_MSA.1 Management of security attributes 20. FMT_MSA.2 Secure security attributes 21. FMT_MSA.3 Static attribute initialization 22. FMT_MOF.1 Management of security functions behaviour 23. FMT_MTD.1 Management of TSF data 24. FMT_SMF.1 Specification of Management Functions 25. FMT_SMR.1 Security roles 26. FPT_RVM.1(1) Non-bypassability of the TSP (TOE) 27. FPT_SEP_TOE_EXP.1 TSF partial domain separation 2008 GuardianEdge Technologies Inc. Page 17 of 75

18 Item SFR ID SFR Title 28. FPT_TST.1 TSF testing 29. FTA_TAB.1 Default TOE access banners Security Audit (FAU) FAU_GEN.1 Audit data generation FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [not specified] level of audit. FAU_GEN.1.2 c) [ GEHD Successful and Unsuccessful logons. GEHD Management actions of initial encryption process. GEHD All changes to a user s authentication data. GEHD Number of unsuccessful authentication attempts exceeded the maximum allowed. GEHD Registered user added. GEHD Registered user removed. GERS Service started GERS Service removed GERS Service could not be removed ] The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [none]. FAU_GEN.2 User Identity Association FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event GuardianEdge Technologies Inc. Page 18 of 75

19 Cryptographic Support (FCS) FCS_CKM.1 Cryptographic key generation FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [ECES] and specified cryptographic key sizes [233-bit keys] that meet the following: [IEEE P1363 by vendor assertion]. FCS_CKM.4 Cryptographic key destruction FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [zeroization] that meets the following: [FIPS Level 1, Key Destruction and overwriting for ECC keys]. FCS_COP.1(1) Cryptographic Operation (AES) FCS_COP.1(1).1 The TSF shall perform [data encryption/decryption of media for initial encryption and on-the-fly decryption/encryption] in accordance with a specified cryptographic algorithm [AES in CBC mode ] and cryptographic key sizes [256-bit keys] that meet the following: [FIPS 197 and FIPS level 1]. FCS_COP.1(2) Cryptographic Operation (ECC of UPC) FCS_COP.1(2).1 The TSF shall perform [Elliptic Curve Cryptography encryption/decryption] in accordance with a specified cryptographic algorithm [ECES ] and cryptographic key sizes [233-bit keys] that meet the following: [IEEE-P1363 by vendor assertion]. Application Note: The ECES implementation was validated via source code review by domain experts. FCS_COP.1(3) Cryptographic Operation (RNG) FCS_COP.1(3).1 The TSF shall perform [Random Number Generation] in accordance with a specified cryptographic algorithm [FIPS appendix 3.1 with change notice 1] and cryptographic key sizes [N/A] that meet the following: [FIPS and FIPS level 1]. FCS_COP.1(4) Cryptographic Operation (Secure Hash) FCS_COP.1(4).1 The TSF shall perform [Secure Hash] in accordance with a specified cryptographic algorithm [SHA-1] and cryptographic key sizes [N/A] that meet the following: [FIPS 180-1]. FCS_COP.1(5) Cryptographic Operation (Hash MAC) FCS_COP.1(5).1 The TSF shall perform [MAC] in accordance with a specified cryptographic algorithm [HMAC-SHA-1] and cryptographic key sizes [160-bits] that meet the following: [FIPS 198] GuardianEdge Technologies Inc. Page 19 of 75

20 User Data Protection (FDP) FDP_IFC.2 Complete information flow control FDP_IFC.2.1 The TSF shall enforce the [On-the-Fly Decryption/Encryption SFP] on [ subjects: all processes that access the client hard disk encrypted partitions and removable storage media the hard disk encrypted partitions and removable storage media information: all ] and all operations that cause that information to flow to and from subjects covered by the SFP. Application Note: Encrypted partitions are the partitions on the hard disk that have been encrypted through the initial encryption process. This is done during installation or as a management function, as specified in FMT_MOF.1. FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TSC to flow to and from any subject in the TSC are covered by an information flow control SFP. FDP_IFF.1 Simple security attributes FDP_IFF.1.1 The TSF shall enforce the [On-the-Fly Decryption/Encryption SFP] based on the following types of subject and information security attributes: [ subjects: all processes that access the client hard disk encrypted partitions and removable storage media encrypted files - read and write instructions; the hard disk encrypted partitions and removable storage media files - encrypted information- file status (ENCRYPTED, or PLAINTEXT), relative sector address.] FDP_IFF.1.2 FDP_IFF.1.3 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [none, all information flows through the TOE]. The TSF shall enforce the [none]. FDP_IFF.1.4 The TSF shall provide the following [ a) For information flows where the subject is performing a write to a hard disk partition the TSF will encrypt the data using AES 2008 GuardianEdge Technologies Inc. Page 20 of 75

21 (FCS_COP.1.1) in Cipher Block Chaining (CBC) mode using the WEK key and an Initialization Vector (IV) derived from the relative sector address with a PRNG. b) For information flows where the subject is performing a read from a hard disk partition the TSF will decrypt the data using AES (FCS_COP.1.1) in Cipher Block Chaining (CBC) mode using the WEK key and an Initialization Vector (IV) derived from the relative sector address with a PRNG. c) For information flows where the subject is performing a write to removal storage device media, if the file is decrypted, the TSF will encrypt the data using AES (FCS_COP.1.1) in Cipher Block Chaining (CBC) mode using the FEK key and an Initialization Vector (IV) derived from the block offset from the head of the encrypted data with a PRNG. d) For information flows where the subject is performing a read from a removal storage device, if the file is encrypted, the TSF will decrypt the data sector using AES (FCS_COP.1.1) in Cipher Block Chaining (CBC) mode using the FEK key and an Initialization Vector (IV) derived from the block offset from the head of the encrypted data with a PRNG. ]. FDP_IFF.1.5 FDP_IFF.1.6 The TSF shall explicitly authorise an information flow based on the following rules: [none]. The TSF shall explicitly deny an information flow based on the following rules: [none] Identification and Authentication (FIA) FIA_AFL.1 Authentication failure handling FIA_AFL.1.1 FIA_AFL.1.2 The TSF shall detect when [a Policy Administrator configurable positive integer defined at installation] unsuccessful authentication attempts occur related to [the unsuccessful authentication attempts for the current logon process]. When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [delay the logon process for 60 seconds.] Application Note: Requirement element FIA_AFL.1.1 applies to FIA_UAU.2 and FIA_UID.2. Application Note: The number of unsuccessful attempts before logon delay, as part of the password policy, is determined by the Policy Administrator at installation. This value is set to one in the evaluated configuration GuardianEdge Technologies Inc. Page 21 of 75

22 FIA_SOS.1 Verification of secrets FIA_SOS.1. The TSF shall provide a mechanism to verify that secrets meet [the following password complexity rules defined by the Policy Administrator at installation: Minimum of eight total characters, At least one non-alphanumeric character; At least one UPPERCASE letter (A-Z and 32 accented uppercase characters); and At least one digit (0-9).] Application Note: This requirement applies to both iterations of FIA_UAU.2 and FIA_UID.2. FIA_UAU.2 User authentication before any action (user access to Client Computer) FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. FIA_UAU_TOE_EXP.2 User authentication before any action (Client console) FIA_UAU_TOE_EXP.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions from the Client Console interface on behalf of that user. FIA_UAU.7 Protected authentication feedback FIA_UAU.7.1 The TSF shall provide only [display of bullet characters in place of characters typed] to the user while authentication is in progress. Application Note: This requirement applies to both iterations of FIA_UAU.2 and FIA_UID.2. FIA_UID.2 User identification before any action (user access to Client Computer) FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user. FIA_UID_TOE_EXP.2 User identification before any action (Client console) FIA_UID_TOE_EXP.2.1 The TSF shall require each user to identify itself again before allowing any other TSF-mediated actions from the Client Console interface on behalf of that user Security Management (FMT) FMT_MOF.1 Management of security functions behaviour FMT_MOF.1.1 The TSF shall restrict the ability to [disable, enable] the functions [ On-the-fly decryption/encryption of a hard disk partition; Terminal decryption of a hard disk partition 2008 GuardianEdge Technologies Inc. Page 22 of 75

23 ] to [the Client Administrator] FMT_MSA.1 Management of security attributes FMT_MSA.1.1 The TSF shall enforce the [On-the-Fly Decryption/Encryption SFP] to restrict the ability to [modify] the security attributes [the hard disk encrypted partitions] to [Client Administrator]. FMT_MSA.2 Secure security attributes FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes. FMT_MSA.3 Static attribute initialisation FMT_MSA.3.1 FMT_MSA.3.2 The TSF shall enforce the [On-the-Fly Decryption/Encryption SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP. The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created. Application Note: Element 3.2 specifies that no one can change the default value for the attributes used to enforce the SFP. When a new partition is added the default will always be restrictive. The Client Administrator can change the attribute for the partition using FMT_MSA.1. FMT_MTD.1 Management of TSF data FMT_MTD.1.1 The TSF shall restrict the ability to [see table below] the [see table below] to [see table below]. Table 3 Management of TSF Data in the TOE Operations TSF Data Roles Remove Registered user identifier Client Administrator Change Own Password Registered user Change Decrypt the disk Client Administrator Change Encrypt the disk Client Administrator and registered user View Evaluated Configuration Setting from Installation Process -password policy -Client Monitor disabled -Authenti-Check and One-Time Password disabled -Single Sign-On disabled -Token authentication disabled -Autologon disabled -Grace restarts disabled -Disk status (encrypted/decrypted) -Removable Storage access and encryption policies Client Administrator and Registered user 2008 GuardianEdge Technologies Inc. Page 23 of 75

24 FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [ Initial encryption/terminal decryption Audit ] Application Note: The initial encryption/terminal decryption management function is the mechanism for modifying the SFP on-the-fly decryption/encryption function; therefore, the on-the-fly function is not listed because it is redundant. FMT_SMR.1 Security roles FMT_SMR.1.1 FMT_SMR.1.2 The TSF shall maintain the roles [Client Administrator, Policy Administrator, registered user]. The TSF shall be able to associate users with roles. Application Note: The Policy Administrator only creates the installation files and has no management functions associated with the TOE following installation Protection of the TSF (FPT) FPT_RVM.1(1) Non-bypassability of the TSP (TOE) FPT_RVM.1(1).1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. FPT_SEP_TOE_EXP.1 TSF partial domain separation FPT_SEP_TOE_EXP.1The TSF shall maintain a security domain that protects it from interference and tampering by untrusted subjects initiating actions through its own TSFI FPT_TST.1 TSF testing FPT_TST.1.1 FPT_TST.1.2 FPT_TST.1.3 The TSF shall run a suite of self tests [during initial start-up] to demonstrate the correct operation of [GEFS]. The TSF shall provide authorised users with the capability to verify the integrity of [GEFS]. The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code TOE Access (FTA) FTA_TAB.1 Default TOE access banners FTA_TAB.1.1 Before establishing a user session, the TSF should display an advisory warning message regarding unauthorized use of the TOE GuardianEdge Technologies Inc. Page 24 of 75

25 5.1.2 TOE SECURITY ASSURANCE REQUIREMENTS This section lists the assurance requirements the TOE will meet to be evaluated at Evaluation Assurance Level 4. The following components are taken from CC part 3. The components in the following section have no dependencies unless otherwise noted. These components are included by reference only as there are no parameters to be assigned; the body can be found in CC part 3. ACM_AUT.1 Partial CM Automation ACM_CAP.4 ACM_SCP.2 ADO_DEL.2 ADO_IGS.1 ADV_FSP.2 ADV_HLD.2 ADV_IMP.1 ADV_LLD.1 ADV_RCR.1 ADV_SPM.1 Generation Support and Acceptance Procedures Problem Tracking CM Coverage Detection of Modification Installation, generation, and start-up procedures Fully defined external interfaces Security enforcing high-level design Subset of the implementation of the TSF Descriptive low-level design Informal correspondence demonstration Informal TOE security policy model AGD_ADM.1 Administrator guidance AGD_USR.1 ALC_DVS.1 ALC_LCD.1 ALC_TAT.1 ATE_COV.2 ATE_DPT.1 ATE_FUN.1 ATE_IND.2 User guidance Identification of Security Measures Developer defined life-cycle model Well defined development tools Analysis of coverage Testing: high-level design Functional testing Independent testing sample AVA_MSU.2 Validation of Analysis AVA_SOF.1 AVA_VLA.2 Strength of TOE security function evaluation Independent vulnerability analysis STRENGTH OF FUNCTION The overall strength of function requirement is SOF-medium. The strength of function requirement applies to FIA_SOS.1 which constrains the passwords used for the password-based authentication mechanism defined in FIA_UAU.2 and FIA_UAU.2. The SOF claim for this requirement is SOF-medium. The strength of the 2008 GuardianEdge Technologies Inc. Page 25 of 75

26 secrets mechanism is consistent with the objectives of authenticating users (O.PARTIAL_TOE_ACCESS). Strength of Function shall be demonstrated for the password-based authentication mechanisms to be SOF-medium, as defined in Part 1 of the CC. Specifically, the local authentication mechanism must demonstrate adequate protection against attackers possessing a moderate attack potential. 5.2 Security Requirements for the IT Environment The following requirements are taken from CC part 2 except for those explicitly stated, denoted by _EXP in the SFR ID. Table 4 Functional Components for the IT environment Item SFR ID SFR Title 30. FAU_SAR.1 Audit review 31. FAU_STG.1 Protected audit trail storage 32. FIA_UAU_ENV_EXP.2 User authentication before any action (Client Computer O/S) 33. FIA_UID_ENV_EXP.2 User identification before any action (Client Computer O/S) 34. FPT_AMT.1 Abstract machine testing 35. FPT_RVM.1(2) Non-bypassability of the TSP (Platform) 36. FPT_SEP_ENV_EXP.1 TSF Environment partial domain separation 37. FPT_STM.1 Reliable time stamps Security Audit (FAU) FAU_SAR.1 Audit review FAU_SAR.1.1 FAU_SAR.1.2 Refinement: The IT environment shall provide [authorised users] with the capability to read [all] from the audit records. Refinement: The IT environment shall provide the audit records in a manner suitable for the user to interpret the information. FAU_STG.1 Protected audit trail storage FAU_STG.1.1 FAU_STG.1.2 Refinement: The IT environment shall protect the stored audit records from unauthorised deletion. Refinement: The IT environment shall be able to [prevent] unauthorised modifications to the stored audit records in the audit trail Identification and Authentication (FIA) FIA_UAU_ENV_EXP.2 User authentication before any action (Client Computer O/S) FIA_UAU_ENV_EXP.2.1 The IT Environment shall require each Client Computer user after the initial start-up to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user GuardianEdge Technologies Inc. Page 26 of 75